Netcat pivot relay

@alonso_isidoro - Jul 20 '22 - - Dev Community

The idea is that you are redirecting traffic from a port not controlled by the firewall (40) to one that is controlled by the firewall (23),ie you want to send something to the port closed by the firewall. To do this, once you have access to the destination machine, you are going to raise a netcat service listening for 23.

> nc -lvp 23
listening on [any] 23 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 42662
hello
redirecting traffic from port 40 that will be outside the control of the firewall to port 23 that will be controlled by the firewall

Enter fullscreen mode Exit fullscreen mode

Then, on another machine or on the same vulnerable machine, you are going to create a file of special characters (pivot) that will serve as a stack where to send the exploit

man mknod
NAME
mknod - make block or character special files
...


> mknod pivot p
Enter fullscreen mode Exit fullscreen mode

Create the bridge from unfiltered port 40 to fw-filtered port 23, using the stack.
When I write to port 40, I read from the stack, when I read from 23, I write to the stack.

> nc -lvp 40 0<pivot | nc 127.0.0.1 23 > pivot
listening on [any] 40 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 44386
Enter fullscreen mode Exit fullscreen mode

Finally create the connection to the vulnerable port.
What you write here is eventually written to the port supposedly filtered by the firewall.

> nc 127.0.0.1 40
hello
redirecting traffic from port 40 that will be outside the control of the firewall to port 23 that will be controlled by the firewall.
This could be some exploit to vuln port 23...

Enter fullscreen mode Exit fullscreen mode

Thanks Santiago ;)

. . . .